CN111291372B - Method and device for detecting files of terminal equipment based on software gene technology - Google Patents


Info

Publication number
CN111291372B
Authority
CN (China)
Application number
CN202010069707.3A
Other languages
Chinese (zh)
Other versions
CN111291372A (en)
Inventors
胡逸漪
陈鹏
刘旭
章丽娟
张甜
姜威
王禹翔
张汪洋
陈振兴
Current assignee
Shanghai Roarpanda Network Technology Co ltd
Original assignee
Shanghai Roarpanda Network Technology Co ltd
Legal status
Active (application granted)


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The application discloses a method and a device for detecting files of a terminal device based on software gene technology. The method runs on the server side and comprises: sending a script file and a first hash list to the terminal device, wherein the script file is matched to the operating system of the terminal device and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and receiving an unknown file sent from the terminal device and detecting it, wherein an unknown file is a file that cannot be confirmed as malicious or non-malicious by hash comparison.

Description

Method and device for detecting files of terminal equipment based on software gene technology
Technical Field
The application relates to the technical field of network security, in particular to a method and a device for detecting a terminal device file based on a software gene technology.
Background
With the development of the internet, more and more criminals exploit vulnerabilities in the network to attack other people's terminal devices, causing users losses of varying degrees. How to identify malicious files that may pose a security risk to terminal devices has therefore become one of the important issues in network security research.
At present, malicious files are mostly detected by installing antivirus software in the terminal system. This approach has drawbacks: a given antivirus product cannot be applied to every operating system at once, so compatibility is poor; installing and running antivirus software, particularly during a scan, consumes a large share of system resources; and with so many antivirus products on the market, the user has essentially no way to tell whether the antivirus software itself harbours security risks such as vulnerabilities.
For these problems of the prior art, namely the poor compatibility caused by differing operating systems, the heavy consumption of system resources, and the unknown vulnerability threats that users find hard to identify, all of which stem from installing antivirus software directly in the terminal system, no effective solution has been proposed so far.
Disclosure of Invention
The embodiments of the present disclosure provide a method and a device for detecting files of a terminal device based on software gene technology, which at least solve the technical problems of the prior art that, when antivirus software is installed directly in the terminal system, compatibility is poor because of differing operating systems, a large amount of system resources is occupied, and the antivirus software may carry unknown vulnerability threats that users find hard to identify.
According to one aspect of the embodiments of the present disclosure, there is provided a method for detecting files of a terminal device based on software gene technology, for a server, comprising: sending a script file and a first hash list to the terminal device, wherein the script file is matched to the operating system of the terminal device and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and receiving an unknown file sent from the terminal device and detecting it, wherein an unknown file is a file that cannot be confirmed as malicious or non-malicious by hash comparison.
According to one aspect of the embodiments of the present disclosure, there is provided a method for detecting files of a terminal device based on software gene technology, for the terminal device, comprising: receiving a script file and a first hash list sent from the server side, and traversing the files in the file system using the script file, wherein the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; generating a corresponding second hash list from the traversed files, wherein the second hash list comprises a plurality of hash values, each corresponding to one traversed file; comparing the first hash list with the second hash list using the script file and determining the unknown files in the file system, wherein unknown files are files that cannot be confirmed as malicious or non-malicious by hash comparison; and sending the unknown files to the server.
According to another aspect of the embodiments of the present disclosure, there is also provided a storage medium comprising a stored program, wherein, when the program runs, a processor performs any one of the methods above.
According to another aspect of the embodiments of the present disclosure, there is further provided an apparatus for detecting files of a terminal device based on software gene technology, used on the server side, comprising: a sending module, configured to send a script file and a first hash list to the terminal device, wherein the script file is matched to the operating system of the terminal device and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and a detection module, configured to receive an unknown file sent from the terminal device and detect it, wherein an unknown file is a file that cannot be confirmed as malicious or non-malicious by hash comparison.
According to another aspect of the embodiments of the present disclosure, there is also provided an apparatus for detecting files of a terminal device based on software gene technology, for the terminal device, comprising: a traversal module, configured to receive the script file and the first hash list sent from the server side and to traverse the files in the file system using the script file, wherein the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; a generation module, configured to generate a corresponding second hash list from the traversed files, wherein the second hash list comprises a plurality of hash values, each corresponding to one traversed file; a comparison module, configured to compare the first hash list with the second hash list using the script file and to determine the unknown files in the file system, wherein unknown files are files that cannot be confirmed as malicious or non-malicious by hash comparison; and a sending module, configured to send the unknown files to the server.
According to another aspect of the embodiments of the present disclosure, there is further provided an apparatus for detecting files of a terminal device based on software gene technology, used on the server side, comprising: a first processor; and a first memory, coupled to the first processor, providing the first processor with instructions for performing the following steps: sending a script file and a first hash list to the terminal device, wherein the script file is matched to the operating system of the terminal device and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and receiving an unknown file sent from the terminal device and detecting it, wherein an unknown file is a file that cannot be confirmed as malicious or non-malicious by hash comparison.
According to another aspect of the embodiments of the present disclosure, there is also provided an apparatus for detecting files of a terminal device based on software gene technology, for the terminal device, comprising: a second processor; and a second memory, coupled to the second processor, providing the second processor with instructions for performing the following steps: receiving a script file and a first hash list sent from the server side, and traversing the files in the file system using the script file, wherein the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; generating a corresponding second hash list from the traversed files, wherein the second hash list comprises a plurality of hash values, each corresponding to one traversed file; comparing the first hash list with the second hash list using the script file and determining the unknown files in the file system, wherein unknown files are files that cannot be confirmed as malicious or non-malicious by hash comparison; and sending the unknown files to the server.
In the embodiments of the present disclosure, the server sends the terminal device a script file matched to its operating system together with the first hash list of the preset software library. The terminal device traverses the files in its file system with the script file to generate a second hash list, compares the first hash list with the second, determines the unknown files that can be judged neither malicious nor non-malicious, and sends them to the server. The server judges whether an unknown file is malicious by performing software gene detection on it and generates a corresponding detection report. Because no antivirus software needs to be installed on the terminal device, system compatibility, the very large resource consumption of antivirus software while it scans, and the security of the antivirus software itself (whether it contains vulnerabilities) no longer have to be considered. The method and device thus solve the technical problems of the prior art that, when antivirus software is installed directly in the terminal system, compatibility is poor, a large amount of system resources is occupied, and the antivirus software may carry unknown vulnerability threats that users find hard to identify.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate and explain the present disclosure, and together with the description serve to explain the present disclosure. In the drawings:
FIG. 1 is a hardware block diagram of a computer terminal for implementing a method according to embodiment 1 of the present disclosure;
FIG. 2 is a schematic diagram of a system for detecting files of a terminal device based on software gene technology according to embodiment 1 of the present disclosure;
FIG. 3 is a flow chart of a method for detecting files of a terminal device based on software gene technology according to the first aspect of embodiment 1 of the present disclosure;
FIG. 4 is a flow chart of a method for detecting files of a terminal device based on software gene technology according to the second aspect of embodiment 1 of the present disclosure;
FIG. 5 is a schematic diagram of a system architecture for detecting files of a terminal device based on software gene technology according to embodiment 1 of the present disclosure;
FIG. 6 is a schematic diagram of the detection flow of a method for detecting files of a terminal device based on software gene technology according to embodiment 1 of the present disclosure;
FIG. 7 is a schematic diagram of an apparatus for detecting files of a terminal device based on software gene technology according to the first aspect of embodiment 2 of the present disclosure;
FIG. 8 is a schematic diagram of an apparatus for detecting files of a terminal device based on software gene technology according to the second aspect of embodiment 2 of the present disclosure;
FIG. 9 is a schematic diagram of an apparatus for detecting files of a terminal device based on software gene technology according to the first aspect of embodiment 3 of the present disclosure; and
FIG. 10 is a schematic diagram of an apparatus for detecting files of a terminal device based on software gene technology according to the second aspect of embodiment 3 of the present disclosure.
Detailed Description
In order to better understand the technical solutions of the present disclosure, the following description will clearly and completely describe the technical solutions of the embodiments of the present disclosure with reference to the drawings in the embodiments of the present disclosure. It will be apparent that the described embodiments are merely embodiments of a portion, but not all, of the present disclosure. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure, shall fall within the scope of the present disclosure.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
According to the present embodiment, there is also provided an embodiment of a method for detecting a file of a terminal device based on a software genetic technique, it should be noted that the steps illustrated in the flowchart of the drawing may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different from that herein.
The method embodiments provided by the present embodiment may be performed in a mobile terminal, a computer terminal, a server, or a similar computing device. FIG. 1 illustrates a block diagram of the hardware architecture of a computing device for implementing the detection of terminal device files based on software gene technology. As shown in FIG. 1, the computing device may include one or more processors (which may include, but are not limited to, processing means such as a microprocessor MCU or a programmable logic device FPGA), memory for storing data, and transmission means for communication functions. In addition, the computing device may further include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply, and/or a camera. Those of ordinary skill in the art will appreciate that the configuration shown in FIG. 1 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computing device may also include more or fewer components than shown in FIG. 1, or have a different configuration from that shown in FIG. 1.
It should be noted that the one or more processors and/or other data processing circuits described above may be referred to herein generally as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements of the computing device. As referred to in the embodiments of the present disclosure, the data processing circuit acts as a processor control (e.g., selection of the variable resistance termination path to interface with).
The memory may be used to store software programs and modules of application software, such as a program instruction/data storage device corresponding to a method for detecting a file of a terminal device based on a software gene technology in an embodiment of the disclosure, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, a method for detecting a file of a terminal device based on the software gene technology to implement the above application program. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory. In some examples, the memory may further include memory remotely located with respect to the processor, which may be connected to the computing device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communications provider of the computing device. In one example, the transmission means includes a network adapter (Network Interface Controller, NIC) that can be connected to other network devices via the base station to communicate with the Internet. In one example, the transmission device may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computing device.
It should be noted herein that in some alternative embodiments, the computing device shown in FIG. 1 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that fig. 1 is only one example of a particular specific example and is intended to illustrate the types of components that may be present in the computing devices described above.
FIG. 2 is a schematic diagram of a system for detecting files of a terminal device based on software gene technology according to the present embodiment. Referring to FIG. 2, the system includes: terminal device 100, server 200, and preset software library 300. The terminal device 100 may be a notebook computer, a mobile terminal, a smart device, an embedded device, etc., and may run different operating systems, for example Windows, Android, iOS or Linux. It should be noted that the hardware configuration described above may apply to both the terminal device 100 and the server 200 in the system.
In the above-described operating environment, according to the first aspect of the present embodiment, there is provided a method for detecting a file of a terminal device based on a software gene technology, for a server side, which is implemented by the server 200 shown in fig. 2. Fig. 3 shows a schematic flow chart of the method, and referring to fig. 3, the method includes:
S302: transmitting a script file and a first hash list to terminal equipment, wherein the script file is a script file matched with an operating system of the terminal equipment, and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and
S304: and receiving an unknown file sent from the terminal equipment, and detecting the unknown file, wherein the unknown file is a file which cannot be confirmed to be a malicious file or a non-malicious file through comparing hash values.
Specifically, the server 200 first establishes a remote communication link with the terminal device 100: for example, the server 200 obtains the IP address, account, password and type of the terminal device through an interface based on the B/S (browser/server) architecture, establishes communication with the terminal device 100 through a remote connection tool (for example SSH or RDP), and sends the script file and the first hash list to the terminal device 100. The server 200 holds a set of open source scripts corresponding to terminal devices with different operating systems, and the server 200 sends the terminal device 100 the script file matched to its operating system. For example, if the terminal device 100 runs Windows, the script file sent by the server 200 to the terminal device 100 is a script file compatible with Windows; if the terminal device 100 runs Linux, the script file sent is compatible with Linux. The first hash list contains a plurality of hash values corresponding to software recorded in the preset software library. Note that the script and the hash list are delivered over the same remote link; the server side therefore holds credentials for every terminal it scans, and the link used to deliver the script is the link a terminal has to trust.
Further, the terminal device 100 traverses the files in its file system with the script file, generates a second hash list, and compares the second hash list with the first hash list to determine the unknown files in the file system, that is, files that cannot be determined to be malicious or non-malicious by hash comparison. The terminal device 100 sends the unknown files to the server 200, and the server 200 detects the unknown files to obtain a detection result.
In this way, the server sends the terminal device a script file matched to the operating system of the terminal device. The terminal device traverses the files in its file system with the script file, compares the hash values, determines the unknown files and sends them to the server, and the server detects the unknown files and judges whether they are malicious.
Optionally, receiving the unknown file sent from the terminal device and detecting it includes at least one of the following operations: extracting software genes from the unknown file and detecting the software genes; performing sandbox analysis on the unknown file; and detecting malicious features of the unknown file.
Specifically, the server 200 may extract software genes from the unknown file, detect the software genes, and determine that the unknown file is malicious if the software genes are not secure; detecting the software genes of the unknown file is thus a way to judge whether the file is malicious and to assess its security. The server 200 may also perform sandbox analysis on the unknown file. A sandbox is a virtualised system environment, so it can serve as an isolated virtual environment in which files that cannot otherwise be determined are tested: for example, the server 200 runs the unknown file in the virtual environment and judges from its run-time behaviour whether it is malicious. The server 200 may further perform malicious feature detection on the unknown file, that is, check whether it contains malicious features that could compromise the terminal device 100. The unknown file is thus examined through several detection modes.
Optionally, after receiving the unknown file sent from the terminal device and detecting it, the method further includes: generating a detection report according to the detection result.
Specifically, after the server 200 has detected the unknown file, a corresponding detection report is generated, so that the user can view it through the server 200 and the files can be handled accordingly afterwards, protecting the security of the user's terminal device.
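The server-side detection and reporting described above, as an added example that is not the patent's implementation. Of the three detection modes the page names, only malicious-feature detection is worked out, as a static scan for suspicious command and API strings and for high-entropy regions (an indicator of packed or encrypted content); software-gene extraction and sandbox analysis are not specified on the page and are represented only by an `extra_detectors` hook, which is an assumption. The check that the uploaded bytes match the digest the terminal reported is likewise an addition the page does not describe; the block size, entropy threshold, string list and sample bytes are all constructed here.

```python
"""Server side: receive an unknown file, run static malicious-feature detection,
and build a detection report. Example code, not the patent's own implementation.
Assumptions: the terminal reports the SHA-256 it computed alongside the upload;
1 KiB blocks with entropy >= 7.0 bits/byte count as high-entropy; the string
list below is illustrative only."""
import hashlib
import math
from collections import Counter

BLOCK = 1024
HIGH_ENTROPY = 7.0
# Illustrative strings a static scan might flag (constructed list, not from the page).
SUSPICIOUS_STRINGS = [
    b"cmd.exe /c", b"powershell -enc", b"/bin/sh -c",
    b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_features(data: bytes, block: int = BLOCK, high: float = HIGH_ENTROPY) -> dict:
    """Malicious-feature detection: known-bad strings plus high-entropy blocks.
    Only full-size blocks are scored so a short tail cannot skew the count."""
    hits = sorted(s.decode() for s in SUSPICIOUS_STRINGS if s in data)
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    high_blocks = sum(1 for b in blocks if len(b) == block and shannon_entropy(b) >= high)
    return {"suspicious_strings": hits, "high_entropy_blocks": high_blocks, "total_blocks": len(blocks)}


def verify_upload(data: bytes, claimed_sha256: str) -> bool:
    """The server re-hashes what it received; a mismatch means the upload is not
    the file the terminal script classified (truncated, swapped or tampered)."""
    return hashlib.sha256(data).hexdigest() == claimed_sha256.lower()


def detect_unknown_file(name: str, data: bytes, claimed_sha256: str, extra_detectors=()) -> dict:
    """Produce the detection report for one unknown file. `extra_detectors` stands
    in for the software-gene and sandbox detectors the page names but does not
    specify; each is a callable taking the bytes and returning a list of findings."""
    report = {
        "file": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "hash_matches_claim": verify_upload(data, claimed_sha256),
        "findings": [],
    }
    feats = static_features(data)
    if feats["suspicious_strings"]:
        report["findings"].append("suspicious strings: " + ", ".join(feats["suspicious_strings"]))
    if feats["high_entropy_blocks"]:
        report["findings"].append(
            f"{feats['high_entropy_blocks']}/{feats['total_blocks']} blocks with entropy >= {HIGH_ENTROPY} "
            "(possible packing or encryption)")
    for detector in extra_detectors:
        report["findings"].extend(detector(data))
    # Known-bad strings are treated as a hard hit; entropy alone is only a weak indicator.
    if feats["suspicious_strings"]:
        report["verdict"] = "malicious"
    elif report["findings"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "no malicious features found"
    return report


def build_sample() -> bytes:
    """Constructed sample: a fake header block, a block carrying a suspicious
    command string, and two blocks of deterministic pseudo-random (high-entropy) data."""
    header = b"MZ".ljust(BLOCK, b"\x00")
    cmd = b"cmd.exe /c whoami".ljust(BLOCK, b"\x00")
    seed, noise = b"seed", b""
    while len(noise) < 2 * BLOCK:
        seed = hashlib.sha256(seed).digest()
        noise += seed
    return header + cmd + noise


def demo() -> dict:
    data = build_sample()
    return detect_unknown_file("bin/new.dat", data, hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The verdict logic deliberately separates the two signals: a known-bad string is a direct finding, while high entropy on its own is reported but only marked suspicious, since legitimate installers and compressed resources are also high-entropy.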
Thus according to the first aspect of the present embodiment, the server transmits to the terminal device a script file that matches the operating system of the terminal device. The terminal equipment traverses the files in the file system through the script files, compares the hash values, determines the unknown files, then sends the unknown files to the server, and the server detects the unknown files and judges the maliciousness of the unknown files. Because the antivirus software is not required to be installed in the terminal equipment, the compatibility problem of the system is not required to be considered, the detection need to occupy extremely large resources during the running of the antivirus software is not required to be considered, and the safety of the antivirus software and whether the loopholes exist are not required to be considered.
Furthermore, according to a second aspect of the present embodiment, there is provided a method of detecting a file of a terminal device based on a software gene technology for the terminal device, the method being implemented by the terminal device 100 shown in fig. 2. Fig. 4 shows a schematic flow chart of the method, and referring to fig. 4, the method includes:
S402: receiving a script file and a first hash list sent from a server side, and traversing files in a file system by utilizing the script file; the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library;
S404: generating a corresponding second hash list according to the traversed file, wherein the second hash list comprises a plurality of hash values, and the hash values respectively correspond to the traversed file;
S406: comparing the first hash list with the second hash list by utilizing the script file, and determining unknown files in the file system, wherein the unknown files are files which cannot be confirmed to be malicious files or non-malicious files through comparison of hash values; and
S408: and sending the unknown file to the server.
Specifically, the terminal device 100 first receives the script file and the first hash list sent from the server 200. The script file received by the terminal device 100 is matched to its operating system: for example, if the terminal device 100 runs Windows, the script file it receives is compatible with Windows; if it runs Linux, the script file is compatible with Linux. The first hash list contains a plurality of hash values corresponding to software recorded in the preset software library. The terminal device 100 traverses the files in its file system using the script file, for example with a breadth-first traversal algorithm (corresponding to step S402).
Further, the terminal device 100 generates a corresponding second hash list from the traversed files, where the second hash list comprises a plurality of hash values in one-to-one correspondence with the traversed files: the first hash value corresponds to the first file, the second hash value to the second file, and so on (corresponding to step S404).
Finally, the terminal device 100 compares the first hash list with the second hash list to determine the unknown files in the file system. A file is unknown, that is, it can be determined neither malicious nor non-malicious, when no hash value in the first hash list matches the file's hash value in the second hash list (corresponding to step S406). The terminal device then sends the unknown files to the server 200 (corresponding to step S408).
Optionally, comparing the first hash list with the second hash list by using the script file to determine an unknown file in the file system, and further including: comparing the hash values in the first hash list with the hash values in the second hash list, and determining malicious files in the file system according to comparison results; determining non-malicious files in the file system according to the comparison result; and determining an unknown file in the file system according to the comparison result.
Specifically, the terminal device 100 compares the first hash list with the second hash list using the script file, and determines the malicious files, the non-malicious files (normal files) and the unknown files in the file system according to the comparison result.
For example, suppose the hash value of a file in the second hash list is a. The terminal device 100 uses the script file to compare this hash value with the hash values of the first hash list from the software library 300; if a matching hash value a is found in the first hash list and that hash value is recorded as the hash value of malicious software, the file with hash value a in the file system is determined to be a malicious file. Likewise, suppose the hash value of another file in the second hash list is b; if a matching hash value b is found in the first hash list and that hash value is recorded as the hash value of non-malicious software (normal software), the file with hash value b in the file system is determined to be a non-malicious file (normal software).
Further, suppose the hash value of a file in the second hash list is c; if no hash value matching c can be found in the first hash list, the file is determined to be an unknown file.
Therefore, non-malicious files and malicious files are found by comparing hash values against the preset software library, every other file whose hash value has no match is an unknown file, and the detection speed is improved. Note that a content hash matches only an exact copy of recorded software: a modified, repacked or recompiled variant of known malware, or a newer build of known normal software, has a different hash value and therefore lands in the unknown set, where it is left to the server-side detection of the first aspect.
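The terminal-side steps S402 to S408 above (breadth-first traversal, second hash list, three-way comparison), as an added worked example in Python; it is not the patent's script. It assumes SHA-256 as the hash algorithm and a first hash list delivered as a mapping from hex digest to the verdict "malicious" or "benign" (the page fixes neither), and runs on a constructed temporary directory rather than a real terminal file system.

```python
"""Terminal-side steps S402 to S408: breadth-first traversal, second hash
list, and three-way comparison against the first hash list.
Added example, not the patent's own script. Assumptions: SHA-256 as the
hash; the first hash list is a dict {hex digest: "malicious" | "benign"}."""
import hashlib
import os
import shutil
import tempfile
from collections import deque
from typing import Dict, Iterator, List


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Content hash, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def bfs_files(root: str) -> Iterator[str]:
    """Breadth-first traversal: all entries of a directory are listed before
    any subdirectory is entered. Symlinks are skipped, so a link loop cannot
    make the traversal run forever, and unreadable directories are skipped
    rather than aborting the whole scan."""
    queue = deque([root])
    while queue:
        directory = queue.popleft()
        try:
            with os.scandir(directory) as it:
                entries = sorted(it, key=lambda e: e.name)
        except (PermissionError, FileNotFoundError, NotADirectoryError):
            continue
        for entry in entries:
            if entry.is_symlink():
                continue
            if entry.is_dir(follow_symlinks=False):
                queue.append(entry.path)
            elif entry.is_file(follow_symlinks=False):
                yield entry.path


def build_second_hash_list(root: str) -> Dict[str, str]:
    """S404: one hash value per traversed file, keyed by path; dict insertion
    order is the traversal order."""
    return {path: sha256_file(path) for path in bfs_files(root)}


def classify(first: Dict[str, str], second: Dict[str, str]) -> Dict[str, List[str]]:
    """S406: a file is malicious or benign only on an exact hash match in the
    first hash list; anything else is unknown and is what goes to the server."""
    result: Dict[str, List[str]] = {"malicious": [], "benign": [], "unknown": []}
    for path, digest in second.items():
        verdict = first.get(digest)
        if verdict == "malicious":
            result["malicious"].append(path)
        elif verdict == "benign":
            result["benign"].append(path)
        else:
            result["unknown"].append(path)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed file system: one known-good file, one known-bad file, a
    modified copy of the known-bad file, and two plain data files."""
    files = {
        "README": b"readme text",
        "bin/ls": b"ELF known-good utility",
        "home/notes.txt": b"just text",
        "tmp/dropper.exe": b"MZ known-bad dropper",
        "tmp/dropper-variant.exe": b"MZ known-bad dropper v2",
    }
    root = tempfile.mkdtemp(prefix="terminal_fs_")
    try:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # First hash list as the server would send it (constructed reputation library).
        first = {
            hashlib.sha256(files["bin/ls"]).hexdigest(): "benign",
            hashlib.sha256(files["tmp/dropper.exe"]).hexdigest(): "malicious",
        }
        second = build_second_hash_list(root)
        result = classify(first, second)
        result["order"] = list(second)  # traversal order, for inspection
    finally:
        shutil.rmtree(root, ignore_errors=True)

    def rel(p: str) -> str:
        return os.path.relpath(p, root).replace(os.sep, "/")

    return {bucket: [rel(p) for p in paths] for bucket, paths in result.items()}


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

The modified copy of the known-bad file is the case worth noticing: it shares everything but a few bytes with a blacklisted sample, yet the terminal can only report it as unknown, which is exactly why the method forwards the unknown set to the server.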
According to the second aspect of the present embodiment, a script file sent by the server is received, the script file is used to traverse the files in the file system of the terminal device, a corresponding hash list is generated from the traversed files, the unknown files in the file system are determined from the hash values in that list, and the unknown files are sent to the server for detection. Because no antivirus software needs to be installed on the terminal device, there is no need to consider the compatibility of such software with the system, the large amount of resources it occupies while running, or the security of the antivirus software itself and whether it contains vulnerabilities.
In addition, a system configuration framework for detecting files of a terminal device based on software gene technology is shown with reference to fig. 5. The system comprises a detection object, a detection engine array, a global software reputation library and a separated software detection module. Detection object: the various intelligent terminal devices to be examined, including common PCs, servers, smartphones, smart devices, IoT devices, embedded devices, industrial internet facilities and the like.
Detection engine array: a detection engine array is formed from a plurality of Rongpan software gene malicious code detection engines, which fuse several detection modes, such as software gene analysis, malicious feature detection, dynamic sandboxing and Rongpan cloud online detection, to make an all-round malicious judgment on a detection sample.
Global software reputation library: consists of a global software blacklist library and a global software whitelist library. During the detection of an intelligent terminal, to improve detection speed, hash comparison against the global software reputation library is used to quickly confirm known normal software and known malicious software. Unknown software is pushed to the detection engine array (the intelligent army system) for detection, which balances detection accuracy against efficiency.
Separated software detection module: consists of a group of open source scripts, one for each supported intelligent terminal system. The module establishes communication with the intelligent terminal using a remote link tool and builds a hash list of the terminal's file system with a breadth-first traversal algorithm. Comparison with the global software reputation library rapidly yields a trusted software list, a malicious software list and an unknown software list. Finally, the detection engine array is called to judge the maliciousness of the programs in the unknown software list, completing the detection of the intelligent terminal without implanting any program on it. The detection flow chart is shown with reference to fig. 6.
Key protection points of this embodiment: 1. no detection program is installed in the terminal file system and detection is executed through a script, so the terminal carries no resident agent whose vulnerabilities would have to be managed (the script itself and the remote link over which it is delivered still have to be trusted, and the unknown files leave the terminal for the server); 2. the cloud detection engine uses software gene technology to realize family judgment, which supports the detection of variant malicious codes found in the terminal file system, including variants whose hash values match no entry of the reputation library; 3. the method is not limited by the type of the terminal file system, applies to a wide range of file systems, and has strong compatibility.
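The server side of the framework just described (the global reputation library feeding the first hash list, and the detection engine array judging the unknown files that come back, ending in a detection report), as an added example in Python that is not the patent's engine. The software gene sub-module here is a hypothetical stand-in based on byte 4-gram Jaccard similarity to known family samples, chosen only to show how a variant that fails the hash comparison can still be tied to a family; the real software gene extraction is not described on this page. The malicious feature sub-module matches constructed byte signatures, no sandbox is implemented, and the report's list of hashes to add to the blacklist is an assumed feedback step.

```python
"""Server side: global software reputation library -> first hash list, and
detection of the unknown files the terminal sends back, with a report.
Added example, not the patent's engine. GeneDetector is a hypothetical
stand-in (byte n-gram similarity to known family samples); the real software
gene extraction is not described on the page."""
import hashlib
from typing import Dict, List, Optional, Set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_hash_list(blacklist: Dict[str, str], whitelist: Dict[str, str]) -> Dict[str, str]:
    """Export the reputation library as the first hash list. Only the verdict
    travels to the terminal; family and product names stay on the server. A
    hash present in both lists is treated as malicious."""
    out = {digest: "benign" for digest in whitelist}
    out.update({digest: "malicious" for digest in blacklist})
    return out


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class GeneDetector:
    """Stand-in for the software gene sub-module: nearest known family by
    n-gram Jaccard similarity. Assumption for illustration only."""

    def __init__(self, families: Dict[str, List[bytes]], threshold: float = 0.5):
        self.threshold = threshold
        self.profiles = {fam: [byte_ngrams(s) for s in samples]
                         for fam, samples in families.items()}

    def detect(self, data: bytes) -> Dict[str, object]:
        grams = byte_ngrams(data)
        best_family: Optional[str] = None
        best_score = 0.0
        for family, profiles in self.profiles.items():
            score = max(jaccard(grams, p) for p in profiles)
            if score > best_score:
                best_family, best_score = family, score
        hit = best_score >= self.threshold
        return {"module": "gene", "malicious": hit,
                "family": best_family if hit else None, "score": round(best_score, 3)}


class FeatureDetector:
    """Malicious feature sub-module: constructed byte signatures."""

    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = signatures

    def detect(self, data: bytes) -> Dict[str, object]:
        hits = [name for name, pattern in self.signatures.items() if pattern in data]
        return {"module": "feature", "malicious": bool(hits), "hits": hits}


def detect_unknown_file(name: str, data: bytes, detectors) -> Dict[str, object]:
    """Run every engine of the array; any positive result makes the file malicious."""
    results = [d.detect(data) for d in detectors]
    verdict = "malicious" if any(r["malicious"] for r in results) else "benign"
    return {"file": name, "sha256": sha256(data), "verdict": verdict, "results": results}


def generate_report(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Detection report. The blacklist additions are an assumed feedback step:
    once recorded, the same variant is caught by hash comparison next time."""
    malicious = [e for e in entries if e["verdict"] == "malicious"]
    return {
        "scanned": len(entries),
        "malicious": [e["file"] for e in malicious],
        "benign": [e["file"] for e in entries if e["verdict"] == "benign"],
        "blacklist_additions": {e["sha256"]: e["file"] for e in malicious},
        "details": entries,
    }


def demo() -> Dict[str, object]:
    """Constructed samples: a known dropper, a variant the terminal could not
    match by hash, and a harmless text file."""
    dropper = b"MZ\x90\x00 dropper: connect c2 ; drop payload ; persist run-key"
    variant = dropper + b" ; v2 anti-vm"
    blacklist = {sha256(dropper): "dropper-family"}
    whitelist = {sha256(b"ELF known-good utility"): "coreutils ls"}
    first = first_hash_list(blacklist, whitelist)
    assert first[sha256(dropper)] == "malicious"  # the terminal catches the original by hash
    detectors = [GeneDetector({"dropper-family": [dropper]}),
                 FeatureDetector({"run-key persistence": b"persist run-key"})]
    unknown = {"tmp/dropper-variant.exe": variant, "home/notes.txt": b"just text"}
    entries = [detect_unknown_file(name, data, detectors) for name, data in unknown.items()]
    return generate_report(entries)


if __name__ == "__main__":
    print(demo())
```

Any real gene or sandbox engine plugs into the same `detect(data)` shape, so the array stays a list of interchangeable engines and the report logic does not change when one is swapped.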
Further, referring to fig. 1, according to a third aspect of the present embodiment, there is provided a storage medium 104. The storage medium 104 includes a stored program, wherein the method of any one of the above is performed by a processor when the program is run.
Thus, according to the present embodiment, the server transmits a script file matched with the operating system of the terminal device and a first hash list of a preset software library to the terminal device. The terminal device traverses the files in its file system through the script file to generate a second hash list, compares the first hash list with the second hash list, determines the unknown files that can be judged neither malicious nor non-malicious, and sends the unknown files to the server. The server judges the maliciousness of the unknown files by performing software gene detection on them and generates a corresponding detection report. Because no antivirus software needs to be installed on the terminal device, there is no need to consider the compatibility of such software with the system, the large amount of resources it occupies while running, or the security of the antivirus software itself and whether it contains vulnerabilities. The method and device thereby solve the technical problems of the prior art, in which antivirus software installed directly in the terminal system has poor compatibility, occupies a large amount of system resources, and carries unknown vulnerability threats that are difficult for users to identify.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 2
Fig. 7 shows an apparatus 700 for detecting a file of a terminal device based on a software gene technology according to the first aspect of the present embodiment, the apparatus 700 corresponding to the method according to the first aspect of embodiment 1. Referring to fig. 7, the apparatus 700 includes: a sending module 710, configured to send a script file and a first hash list to a terminal device, where the script file is a script file matched with an operating system of the terminal device, and the first hash list includes a plurality of hash values corresponding to software recorded in a preset software library; and a detection module 720, configured to receive an unknown file sent from the terminal device, and detect the unknown file, where the unknown file is a file that cannot be confirmed as a malicious file or a non-malicious file by comparing hash values.
Optionally, the detection module 720 further includes at least one sub-module described below: the gene detection submodule is used for extracting software genes of unknown files and detecting the software genes; the sandbox analysis submodule is used for carrying out sandbox analysis on the unknown file; and the malicious feature detection sub-module is used for detecting malicious features of the unknown file.
Optionally, the detection module 720 further includes a detection sub-module, used after the unknown file sent from the terminal device has been received and detected, for generating a detection report according to the detection result.
Further, fig. 8 shows an apparatus 800 for detecting a file of a terminal device based on a software gene technology according to the second aspect of the present embodiment, the apparatus 800 corresponding to the method according to the second aspect of embodiment 1. Referring to fig. 8, the apparatus 800 includes: a traversing module 810, configured to receive the script file and the first hash list sent from the server and traverse the files in the file system by using the script file, where the first hash list includes a plurality of hash values corresponding to software recorded in a preset software library; a generating module 820, configured to generate a corresponding second hash list from the traversed files, where the second hash list includes a plurality of hash values respectively corresponding to the traversed files; a comparison module 830, configured to compare the first hash list with the second hash list by using the script file and determine the unknown files in the file system, where an unknown file is a file that cannot be confirmed as a malicious file or a non-malicious file by comparing hash values; and a sending module 840, configured to send the unknown files to the server.
Optionally, the comparing module 830 further includes: the comparison sub-module is used for comparing the hash values in the first hash list with the hash values in the second hash list, and the first determination sub-module is used for determining malicious files in the file system according to comparison results; the second determining submodule is used for determining non-malicious files in the file system according to the comparison result; and a third determining sub-module, configured to determine an unknown file in the file system according to the comparison result.
Thus, according to the present embodiment, the server transmits a script file matched with the operating system of the terminal device and a first hash list of a preset software library to the terminal device. The terminal device traverses the files in its file system through the script file to generate a second hash list, compares the first hash list with the second hash list, determines the unknown files that can be judged neither malicious nor non-malicious, and sends the unknown files to the server. The server judges the maliciousness of the unknown files by performing software gene detection on them and generates a corresponding detection report. Because no antivirus software needs to be installed on the terminal device, there is no need to consider the compatibility of such software with the system, the large amount of resources it occupies while running, or the security of the antivirus software itself and whether it contains vulnerabilities. The method and device thereby solve the technical problems of the prior art, in which antivirus software installed directly in the terminal system has poor compatibility, occupies a large amount of system resources, and carries unknown vulnerability threats that are difficult for users to identify.
Example 3
Fig. 9 shows an apparatus 900 for detecting a file of a terminal device based on a software gene technology according to the first aspect of the present embodiment, the apparatus 900 corresponding to the method according to the first aspect of embodiment 1. Referring to fig. 9, the apparatus 900 includes: a first processor 910; and a first memory 920 coupled to the first processor 910 for providing instructions to the first processor 910 for processing the following processing steps: transmitting a script file and a first hash list to terminal equipment, wherein the script file is a script file matched with an operating system of the terminal equipment, and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and receiving an unknown file sent from the terminal equipment, and detecting the unknown file, wherein the unknown file is a file which cannot be confirmed to be a malicious file or a non-malicious file by comparing the hash values.
Optionally, receiving the unknown file sent from the terminal device and detecting it includes at least one of the following operations: extracting the software gene of the unknown file and detecting the software gene; performing sandbox analysis on the unknown file; and detecting malicious features of the unknown file.
Optionally, after the operation of receiving the unknown file sent from the terminal device and detecting the unknown file, the method further includes: and generating a detection report according to the detection result.
Further, fig. 10 shows an apparatus 1000 for detecting a file of a terminal device based on a software gene technology according to the second aspect of the present embodiment, the apparatus 1000 corresponding to the method according to the second aspect of embodiment 1. Referring to fig. 10, the apparatus 1000 includes: a second processor 1010; and a second memory 1020 coupled to the second processor 1010 for providing instructions to the second processor 1010 for processing the following processing steps: receiving a script file and a first hash list sent from a server side, and traversing files in a file system by utilizing the script file; the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; generating a corresponding second hash list according to the traversed file, wherein the second hash list comprises a plurality of hash values, and the hash values respectively correspond to the traversed file; comparing the first hash list with the second hash list by utilizing the script file, and determining unknown files in the file system, wherein the unknown files are files which cannot be confirmed to be malicious files or non-malicious files through comparison of hash values; and sending the unknown file to the server.
Optionally, comparing the first hash list with the second hash list by using the script file to determine an unknown file in the file system, and further including: comparing the hash values in the first hash list with the hash values in the second hash list, and determining malicious files in the file system according to comparison results; determining non-malicious files in the file system according to the comparison result; and determining an unknown file in the file system according to the comparison result.
Thus, according to the present embodiment, the server transmits a script file matched with the operating system of the terminal device and a first hash list of a preset software library to the terminal device. The terminal device traverses the files in its file system through the script file to generate a second hash list, compares the first hash list with the second hash list, determines the unknown files that can be judged neither malicious nor non-malicious, and sends the unknown files to the server. The server judges the maliciousness of the unknown files by performing software gene detection on them and generates a corresponding detection report. Because no antivirus software needs to be installed on the terminal device, there is no need to consider the compatibility of such software with the system, the large amount of resources it occupies while running, or the security of the antivirus software itself and whether it contains vulnerabilities. The method and device thereby solve the technical problems of the prior art, in which antivirus software installed directly in the terminal system has poor compatibility, occupies a large amount of system resources, and carries unknown vulnerability threats that are difficult for users to identify.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary; the division of the units is merely a logical function division and may be implemented in another manner, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling, direct coupling or communication connection shown or discussed between the parts may be through some interfaces, units or modules, and may be electrical or take other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, essentially or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (3)

1. A method for detecting a file of a terminal device, which is used for a server, and is characterized by comprising the following steps:
Transmitting a script file and a first hash list to terminal equipment, wherein the script file is a script file matched with an operating system of the terminal equipment, and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and
Receiving an unknown file sent from a terminal device, and detecting the unknown file, wherein the unknown file is a file which cannot be confirmed to be a malicious file or a non-malicious file by comparing hash values;
the method receives the unknown file sent from the terminal equipment, detects the unknown file and further comprises at least one operation of the following steps:
extracting a software gene of the unknown file, and detecting the software gene;
Carrying out sandbox analysis on the unknown file; and
Detecting malicious features of the unknown file;
The method further comprises the following steps after receiving the unknown file sent from the terminal equipment and detecting the unknown file:
generating a detection report according to the detection result;
Receiving a script file and a first hash list sent from a server side, and traversing files in a file system by utilizing the script file; the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library;
Generating a corresponding second hash list according to the traversed file, wherein the second hash list comprises a plurality of hash values, and the hash values respectively correspond to the traversed file;
the method compares the first hash list with the second hash list by using the script file to determine an unknown file in the file system, and further comprises:
Comparing the plurality of hash values in the first hash list with hash values in a second hash list,
Determining malicious files in the file system according to the comparison result;
Determining non-malicious files in the file system according to the comparison result; and
Determining unknown files in the file system according to the comparison result;
the method specifically comprises the following steps:
receiving an unknown file sent from a terminal device, and detecting the unknown file, wherein the unknown file is a file which cannot be confirmed to be a malicious file or a non-malicious file through comparing hash values;
The server establishes a remote communication link with the terminal equipment;
traversing the files in the file system by the terminal equipment through the script files, generating a second hash list, comparing the second hash list with the first hash list, and determining unknown files in the file system, wherein the unknown files are files which cannot be determined to be malicious files or non-malicious files through comparison of hash values; the terminal equipment sends the unknown file to the server, and the server detects the unknown file to obtain a detection result;
The server sends the script file matched with the operating system of the terminal equipment to the terminal equipment; the terminal equipment traverses the files in the file system through the script files, compares the hash values, determines an unknown file, then sends the unknown file to the server, and the server detects the unknown file and judges the maliciousness of the unknown file;
Receiving an unknown file sent from a terminal device, detecting the unknown file, and at least one operation of: extracting software genes of unknown files, and detecting the software genes; carrying out sandbox analysis on the unknown file; detecting malicious features of an unknown file;
The server extracts a software gene of an unknown file, detects the software gene, and determines the unknown file as a malicious file if the software gene is unsafe; judging whether the unknown file is a malicious file or not by detecting a software gene in the unknown file, and detecting the security of the unknown file; the server performs sandbox analysis on the unknown file;
after receiving the unknown file sent from the terminal device and detecting the unknown file, the method further comprises the following steps: generating a detection report according to the detection result;
After detecting the unknown file, the server generates a corresponding detection report so as to process the file;
The server sends the script file matched with the operating system of the terminal equipment to the terminal equipment; the terminal equipment traverses the files in the file system through the script files, compares the hash values, determines an unknown file, sends the unknown file to the server, and the server detects the unknown file and judges the maliciousness of the unknown file;
And specifically further comprises:
The terminal equipment receives a script file and a first hash list which are sent by a server; the script file received by the terminal equipment is a script file matched with an operating system of the terminal equipment;
The terminal equipment generates a second hash list according to the traversed files, wherein the second hash list comprises a plurality of hash values, and the hash values are in one-to-one correspondence with the traversed files;
The terminal equipment compares the first hash list with the second hash list and determines unknown files in the file system; the unknown file is a file which cannot be determined to be a malicious file or a non-malicious file when the hash value of the file in the second hash list cannot find a matching hash value in the first hash list; the terminal equipment sends the unknown file to the server;
comparing the first hash list with the second hash list by using the script file to determine an unknown file in the file system, and further comprising: comparing the hash values in the first hash list with the hash values in the second hash list, and determining malicious files in the file system according to comparison results; determining non-malicious files in the file system according to the comparison result; determining an unknown file in the file system according to the comparison result;
The terminal equipment compares the first hash list with the second hash list by utilizing the script file, and determines malicious files, non-malicious files and unknown files in the file system according to the comparison result;
The hash value of one file in the second hash list is a, the terminal equipment compares the hash value of the file with the hash value of a first hash list in a software library by utilizing a script file, and if the hash value matched with the hash value a exists in the first list, the hash value matched with the hash value a is the hash value of malicious software, the file with the hash value a in a file system is determined to be a malicious file; the hash value of one file in the second hash list is b, the terminal equipment compares the hash value of the file with the hash value of a first hash list in a software library by utilizing a script file, and if the hash value matched with the hash value b exists in the first list, and the hash value matched with the hash value b is a hash value of non-malicious software, the file with the hash value b in the file system is determined to be a non-malicious file;
The hash value of one file in the second hash list is c, the terminal equipment compares the hash value of the file with the hash value of the first hash list in the software library by utilizing the script file, and if the hash value matched with the hash value c cannot be found, the file is determined to be an unknown file;
comparing the hash value with a preset software library, and searching out non-malicious files or malicious files, wherein other files which cannot be matched with the hash value are unknown files;
Traversing files in a file system of terminal equipment by using script files sent by a server, generating a corresponding hash list according to the traversed files, determining unknown files in the file system according to hash values in the hash list, and sending the unknown files to the server for detection;
The server sends a script file matched with an operating system of the terminal equipment and a first hash list of a preset software library to the terminal equipment; the terminal equipment traverses the files in the file system through the script file to generate a second hash list, compares the first hash list with the second hash list, determines unknown files which cannot be judged to be malicious files or non-malicious files, and sends the unknown files to the server.
2. A storage medium comprising a stored program, wherein the method of claim 1 is performed by a processor when the program is run.
3. A device for detecting a file of a terminal device, which is used for a server, and is characterized by comprising:
the terminal equipment comprises a sending module, a first hash list and a second hash list, wherein the sending module is used for sending a script file and the first hash list to the terminal equipment, the script file is matched with an operating system of the terminal equipment, and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and
The detection module is used for receiving an unknown file sent from the terminal equipment and detecting the unknown file, wherein the unknown file is a file which cannot be confirmed to be a malicious file or a non-malicious file through comparison of hash values;
The method is realized by means of software and a necessary general hardware platform;
For a terminal device, comprising:
The traversal module is used for receiving the script file and the first hash list sent from the server side and traversing the files in the file system of the terminal equipment by utilizing the script file; the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library;
The generation module is used for generating a corresponding second hash list according to the traversed file, wherein the second hash list comprises a plurality of hash values, and the hash values respectively correspond to the traversed file;
The comparison module is used for comparing the first hash list with the second hash list by utilizing the script file to determine an unknown file in the file system, wherein the unknown file is a file which cannot be confirmed to be a malicious file or a non-malicious file through comparison of hash values; and
The sending module is used for sending the unknown file to a server;
The comparison module further comprises: a comparison sub-module, used for comparing the hash values in the first hash list with the hash values in the second hash list; a first determining sub-module, used for determining malicious files in the file system according to the comparison result; a second determining sub-module, used for determining non-malicious files in the file system according to the comparison result; and a third determining sub-module, used for determining unknown files in the file system according to the comparison result. The server sends a script file matched with the operating system of the terminal equipment and a first hash list of a preset software library to the terminal equipment; the terminal equipment traverses the files in the file system through the script file to generate a second hash list, compares the first hash list with the second hash list, determines the unknown files which can be judged to be neither malicious files nor non-malicious files, and sends the unknown files to the server;
For a server, comprising:
A first processor; and
A first memory, coupled to the first processor, for providing instructions to the first processor to process the following processing steps:
Transmitting a script file and a first hash list to terminal equipment, wherein the script file is a script file matched with an operating system of the terminal equipment, and the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library; and
Receiving an unknown file sent from a terminal device, and detecting the unknown file, wherein the unknown file is a file which cannot be confirmed to be a malicious file or a non-malicious file by comparing hash values;
comparing the first hash list with the second hash list by using the script file to determine an unknown file in the file system, and further comprising: comparing the hash values in the first hash list with the hash values in the second hash list, and determining malicious files in the file system according to comparison results; determining non-malicious files in the file system according to the comparison result; determining an unknown file in the file system according to the comparison result;
For a terminal device, comprising:
A second processor; and
A second memory, coupled to the second processor, for providing instructions to the second processor to process the following processing steps:
Receiving a script file and a first hash list sent from a server side, and traversing files in a file system by utilizing the script file; the first hash list comprises a plurality of hash values corresponding to software recorded in a preset software library;
Generating a corresponding second hash list according to the traversed file, wherein the second hash list comprises a plurality of hash values, and the hash values respectively correspond to the traversed file;
Comparing the first hash list with the second hash list by utilizing the script file, and determining an unknown file in the file system, wherein the unknown file is a file which cannot be confirmed to be a malicious file or a non-malicious file through comparison of hash values; and
Sending the unknown file to a server;
the server judges the maliciousness of the unknown file by carrying out software gene detection on the unknown file, and generates a corresponding detection report.
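The terminal-side comparison the claims describe, as an added example that is not part of the patent or the applicant's code: it traverses a directory, builds the second hash list with SHA-256, matches it against a constructed first hash list in which each recorded hash is labelled malicious or non-malicious, and returns the unmatched files as the unknown set that would be sent to the server. The choice of SHA-256, the label names, the dict layout of the first hash list and the sample files are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_second_hash_list(root: Path) -> dict:
    """Traverse the file system under root and map each regular file to its hash.
    Symlinks are skipped so a link to a known-good file cannot stand in for another."""
    second = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                second[str(p)] = sha256_of(p)
    return second

def classify(first_hash_list: dict, second_hash_list: dict) -> dict:
    """first_hash_list maps hash -> 'malicious' | 'non_malicious' (assumed label names).
    Files whose hash matches neither label are unknown; those are what gets uploaded."""
    result = {"malicious": [], "non_malicious": [], "unknown": []}
    for path, digest in second_hash_list.items():
        label = first_hash_list.get(digest)
        if label in ("malicious", "non_malicious"):
            result[label].append(path)
        else:
            result["unknown"].append(path)
    return result

def demo() -> dict:
    """Constructed sample: three files, two of them recorded in the first hash list."""
    root = Path(tempfile.mkdtemp())
    (root / "good.bin").write_bytes(b"known good content")
    (root / "bad.bin").write_bytes(b"known bad content")
    (root / "new.bin").write_bytes(b"never seen before")
    first = {
        hashlib.sha256(b"known good content").hexdigest(): "non_malicious",
        hashlib.sha256(b"known bad content").hexdigest(): "malicious",
    }
    return classify(first, build_second_hash_list(root))
```

Only the "unknown" list leaves the terminal; the known-malicious and known-good sets are resolved locally from the first hash list, which is the split the claims rely on.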

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010069707.3A CN111291372B (en) 2020-01-21 2020-01-21 Method and device for detecting files of terminal equipment based on software gene technology

Publications (2)

Publication Number Publication Date
CN111291372A CN111291372A (en) 2020-06-16
CN111291372B true CN111291372B (en) 2024-04-30

Family

ID=71028420

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010069707.3A Active CN111291372B (en) 2020-01-21 2020-01-21 Method and device for detecting files of terminal equipment based on software gene technology

Country Status (1)

Country Link
CN (1) CN111291372B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112613074A (en) * 2020-12-30 2021-04-06 NSFOCUS Technologies Group Co., Ltd. Sensitive file identification method, device, equipment and medium
CN113536308B (en) * 2021-06-11 2023-01-06 PLA Strategic Support Force Information Engineering University Binary code tracing method for multi-granularity information fusion from the software gene perspective
CN115906079A (en) * 2022-11-16 2023-04-04 Beijing ThreatBook Technology Co., Ltd. File detection method, file detection system and file detection device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109960932A (en) * 2017-12-22 2019-07-02 Beijing Antiy Network Security Technology Co., Ltd. File detection method, device and terminal device
CN108337153A (en) * 2018-01-19 2018-07-27 Coremail Technology (Guangzhou) Co., Ltd. Mail monitoring method, system and device
WO2019141091A1 (en) * 2018-01-19 2019-07-25 Coremail Technology (Guangzhou) Co., Ltd. Method, system, and device for mail monitoring
CN108932430A (en) * 2018-07-02 2018-12-04 Peking University Malware detection method based on software gene technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Xiao Jinqi; Wang Junfeng. Malware clustering method based on fuzzy-hash feature representation. Journal of Sichuan University (Natural Science Edition). 2018, (No. 3), full text. *

Also Published As

Publication number Publication date
CN111291372A (en) 2020-06-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant